
What is file integrity monitoring?

File Integrity Monitoring systems generate alerts when intruders make unexpected changes to the files on your servers – either by changing existing files or creating new ones.

Robust cybersecurity can be most effectively achieved by adopting a ‘defence in depth’ approach. This means deploying several layers of protection using different technologies, so that if any one layer of defence is defeated there remains at least one more level of protection.

Different technologies should be used to give the best possible chance of defeating an attack: if one system fails to stop an attack, another technology that works in a different way may still detect it. This diversity applies not just to the technical methods deployed but also to the design purpose of the tools. In particular, some security tools are designed to provide protection, preventing a breach, whereas others are designed to detect a breach should it occur. Protection and detection are the two fundamental types of security control and technology – the first tries to prevent a breach, and the second identifies as quickly as possible that a breach has happened.

When a network intrusion is detected quickly, it minimises the opportunity for the attackers to survey the network and deploy malware and tools which would otherwise facilitate a persistent presence in your systems.

What is File Integrity Monitoring?

File Integrity Monitoring is a class of technical control that detects changes made to files on your network that could indicate the presence of intruders. With a typical network containing many thousands of critical files, it is not possible to manually check those files for unexpected changes – only an automated tool can provide the scale and speed of coverage needed.

File Integrity Monitoring (FIM) tools require careful configuration to ensure they are watching for changes to files that are not expected to change regularly – and where the existence of a change could be an indicator of compromise. FIM tools typically come with template configurations in which the key files and folders for popular operating systems and applications are already defined.

Why is File Integrity Monitoring helpful?

The presence of intruders in your network can be inferred by the changes they make on systems in order to either try to hide their presence or to facilitate lateral movement across the network or deploy a persistent backdoor into the network.

An intruder may attempt to alter or delete log files in order to remove evidence of their activity on your systems. An FIM system would alert that a log file has been amended or deleted, allowing security operations staff to investigate further.

Configuration files for applications, middleware and even security tools could be edited by an intruder in order to facilitate continued access to your network or to help exfiltrate data. An FIM system would detect the changes to these usually static configuration files and raise an alert prompting an investigation by your security team.

The FIM system works by comparing an image of what each server’s filesystem ‘should’ look like and raises alerts when anything changes.

PCI-DSS mandates the use of File Integrity Monitoring in order to demonstrate compliance with clauses 10.5.5 (Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed) and 11.5 (Deploy a change-detection mechanism… to alert personnel to unauthorized modification … of critical system files, configuration files, or content files). An FIM system can also aid the operational security controls required for ISO 27001 compliance.

How does a File Integrity Monitoring system work?

An FIM system works by comparing the current status of a file system with a known ‘good’ state – which means you need to start with a trusted system that is correctly configured. The FIM software then takes some form of snapshot, which is used as the basis for future comparisons. Modern FIM systems look beyond simple file attributes (such as file size and modification timestamps) and record a cryptographic checksum of each file in the known-good state, which is compared against the checksum calculated from the current file in future integrity checks.
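The baseline-and-compare cycle described above, and the log-deletion and configuration-edit alerts mentioned earlier, as an added example that is not SecureTeam's code nor any FIM product's: it snapshots SHA-256 checksums (plus size and mtime) for every file under a directory and reports what was created, modified or deleted since the baseline. The directory layout, file names and simulated changes in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not SecureTeam's code: a minimal FIM baseline-and-compare
# cycle using SHA-256 checksums, as the article describes.

def file_digest(path):
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Baseline: checksum, size and mtime for every file under root."""
    snap = {}
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p), "size": st.st_size, "mtime": st.st_mtime}
    return snap

def compare(baseline, current):
    """Files created, modified (checksum differs) or deleted since the baseline."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(f for f in set(baseline) & set(current)
                      if baseline[f]["sha256"] != current[f]["sha256"])
    return {"created": created, "modified": modified, "deleted": deleted}

def demo():
    """Constructed scenario in a temp dir: take a baseline, then simulate changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "log").mkdir()
        (root / "etc" / "httpd.conf").write_text("Listen 80\n")
        (root / "log" / "auth.log").write_text("login ok\n")
        baseline = snapshot(root)
        # Simulated unexpected changes: config edited, log deleted, new file dropped
        (root / "etc" / "httpd.conf").write_text("Listen 8080\n")
        (root / "log" / "auth.log").unlink()
        (root / "dropped.bin").write_bytes(b"\x00")
        return compare(baseline, snapshot(root))
```

In a real deployment the baseline would be stored off-host (or signed) so an intruder who gains access to the server cannot simply regenerate it, and each entry in the returned lists would become an alert to be cleared against a change record.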

Integration with your Change Management system can simplify and expedite the clearing of alerts that are generated as a result of planned changes to files – such as a planned change to a configuration file for a web server. The alert in the FIM system can be linked to the relevant record in the Change Management system and closed down accordingly.

The FIM system may be able to capture before and after images of the files it monitors, allowing changes to be reviewed and rolled forward and back in chronological order. This is a great help during forensic investigations and may allow the lateral movement of attackers through the network to be tracked.

Using a File Integrity Monitoring system can help reduce the amount of ‘dwell’ time enjoyed by intruders who gain access to your network before they are discovered. By detecting file creations (as intruders install the tools they will use in later stages of the attack) or changes made to configuration settings, the presence of intruders and the systems they are interacting with can be identified.

An FIM system can help you detect when servers on your network deviate from your known good security baseline – indicating either a mistake by your operations team or the actions of an intruder.

Before deploying an FIM system, servers should be hardened so you have confidence that the underlying system and configuration that is being protected is as secure as possible.

SecureTeam can help you define the security baseline for your servers through our secure configuration review services and conduct penetration tests to validate your server hardening and network security.
